Final

Question 1

What are the four use cases for the MITRE ATT&CK Framework?

Answer 1

Threat intelligence

Detection
and analysis

Adversary emulation
and red teaming

Assessment and engineering

Question 2

What is the ATT&CK Navigator?

Answer 2

It helps do annotation and navigation for different attack techniques.

Question 3

What is the Pyramid of Pain?

Answer 3

The Pyramid of Pain defines levels of indicators, each escalating in difficulty for adversaries to alter

Question 4

What is the Atomic Red Team project?

Answer 4

An open source project that provides red team content that aligns with ATT&CK that can be
used to test analytics

Question 5

What are the six levels of the Pyramid of Pain? Which is the most difficult to defend against.

Answer 5

TTPs
Tools
Network/Host Artifacts
Domain names
IP address
Hash Values
The most difficult to detect and protect against are TTPs

Question 6

What is Whois?

Answer 6

Gives information about a website like the owner, register, address of registrar and register.

Question 7

Nslookup?

Answer 7

Provides IP’s and addresses, can also be used to search for mail servers.

Question 8

What is a vulnerability assessment?

Answer 8

Gathers data from public resources and various tools to identify open ports and identify potential vulnerabilities that can be exploited.

Question 9

How do you start a simple http server from the terminal?

Answer 9

python -m http.server 80

Question 10

What is OSINT and what are some examples?

Answer 10

Open Source Intelligence, used to gather information about a target.
Shodan, Linkedin, whois, dnsdumpster, dnslytics

Question 11

What are linpeas and winpeas?

Answer 11

Scripts that determine vulnerabilities for privilege escalation

Question 12

What is a sticky bit?

Answer 12

An option in Linux that is set on directories that prevent users that share access to a directory from deleting files and sub-directories within it.

Question 13

cpassword attack?

Answer 13

Retrieves and cracks the GPP (Group Policy Preferences) password on unpatched systems.

Question 14

LDAP?

Answer 14

Windows
(Lightweight Directory Access Protocol)
Used to manage and interact with users, susceptible to sniffing and MITM attacks. Sends credentials in plain text

Question 15

Kerberoasting

Answer 15

All
An attacker gains the Kerberos password hash and decrypts in an offline password attack

Question 16

What is NTLM and how is it cracked?

Answer 16

Windows
NT LAN Manager
Easy to crack password hashes, doesn’t need to be cracked in order to be used over the network in a pass the Hash attack. psexec command

Question 17

LSASS?

Answer 17

Local Security Authority Subsystem Service
Stores Windows credentials in plaintext through Windows 7 / Windows 2008

Question 18

LSA Secrets?

Answer 18

Windows
Local Security Authority stores passwords, credentials. The Registry contains the info required to load and decrypt the LSA secrets

Question 19

DLL Hijacking

Answer 19

Windows
Replaces a Data Link Library with an infected file, when the application loads the file will be called upon.

Question 20

What is enum4linux?

Answer 20

A way to enumerate Windows Active Directory
Shows ip and domain name,SID,OS info, users, password policy, and groups are revealed

Question 21

Active Directory also typically runs what?

Answer 21

Windows DNS
The DNS server may have software vulnerabilities which may be exploited

Question 22

What are some ports associated with Active Directory?

Answer 22

TCP 88:
Kerberos

TCP & UDP 389:
Lightweight Directory Application Protocol (LDAP)

Question 23

What is rpcclient?

Answer 23

A way to enumerate Active Directory

querydominfo:
Gives domain info

enumdomusers:
Gives user info

enumdomgroups:
gives group info

Question 24

john the Ripper?

Answer 24

The original tool for cracking password hashes of most popular types. Linux, Windows

Question 25

Hashcat?

Answer 25

Cracks password hashes, faster than John the Ripper

Question 26

Rainbow tables?

Answer 26

A database of password hashes and the plaintext equivalent.

Question 27

What is Hydra?

Answer 27

Tool for online password attacks.
-l singular user
-L List of user accounts
-P List of Passwords

ssh://192.168.1.123
server example

Question 28

Password Spraying?

Answer 28

Using a long list of passwords against a small number of user accounts.

Question 29

Credential Stuffing

Answer 29

Uses published breach data to leverage credentials reused by users

Question 30

Hash-identifier?

Answer 30

Used to determine the hashing algorithm used to generate a password hash (which then is in turn used to crack the password hash)

Question 31

What is and where is the Windows SAM file?

Answer 31

Security Accounts Manager

stored in the %WINDOWS%\SYSTEM32\CONFIG\

Encrypted weakly, encryption key is stored in the SYSTEM file

Question 32

What is the LM Hash?

Answer 32

Password hash on a Windows system

14 bytes, 2 groups of 7 bytes are stored in separate blocks

Converted to UPPER CASE

Question 33

What is Mimikatz?

Answer 33

Tool used to extract passwords stored in memory of the system it is used on.

Question 34

What is 2FA/MFA?

Answer 34

Two-factor/Multi factor authentication

If you attempt to log in from a new source you will get a confirmation on another device like a smartphone

Question 35

How to find the kernel version on linux?

Answer 35

uname -r

Question 36

How to load just the server headers on curl?

Answer 36

curl -i

Question 37

What are some common nmap switches?

Answer 37

-sC is a script scan -sV is a version scan
-Pn is no ping -sP is ping sweep
-p- pings all ips

Question 38

Specialized google searches used by penetration testers to enumerate aspects of an org’s internet-facing hosts are called what?

Answer 38

Google Dorks

Question 39

What are wget and certutil?

Answer 39

wget is a GNU command-line tool to download files.

certutil is a Windows tool that can view Certificates as well as send and receive files

Question 40

What is netcat used for?

Answer 40

Used to establish a simple network and receive files from incoming connections.

nc -nlvp 80

-n Do not perform dns lookups
-l listens
-v Will type any connections received
-p port number

Question 41

What are common ports for a domain controller?

Answer 41

TCP/UDP 53-
DNS

UDP 88-
Kerberos authentication

TCP 135-
connect to clients and other domains

TCP 139 | UDP 138-
File Replication Service between domain controllers

TCP & UDP 445-
Replication, User and Computer Authentication, Group Policy,

Question 42

What is DirBuster/Gobuster and how do you use it?

Answer 42

Brute force pen testing tools, Dirbuster is GUI, and Gobuster can be used in command line.

-u target ip
-w wordlist to use

Question 43

What is msfvenom and how does it work?

Answer 43

msfvenom is a command-line tool that combines payload generation and encoding.

-p add custom payload
lhost=(attacker ip)
lport=4444
-f file type you want back

Question 44

builtwith.com

Answer 44

Show’s details about a website and how it functions

Question 45

What is the traditional attacker methodology?

Answer 45

Reconnaissance

Scanning & Enumeration

Exploitation & Gaining Access

Maintaining Access & Covering

Question 46

What is wifiphisher?

Answer 46

A rogue Access Point framework for conducting red team engagements or Wi-Fi security testing.